
Automatic role assignment


Hi,

Greetings!

I have one requirement in IDM 402. I want to *automatically assign
ROLE(s)* to the user based on a particular attribute/condition.

1- When a user is first created in IDM from the authoritative source, a few
"Birth right Roles" are to be assigned.
2- When a particular attribute changes in the user's profile (e.g. the city value
changes), then the role assignment should change (remove one assigned
role and assign a different role).

Please revert with how I can achieve this in IdM 402.

Thanks in advance!


--
AMIT KUMAR SINGH
IdM Consultant
------------------------------------------------------------------------
ameet140's Profile: https://forums.netiq.com/member.php?userid=4993
View this thread: https://forums.netiq.com/showthread.php?t=48819


Re: Automatic role assignment

On 10/01/2013 08:04 AM, ameet140 wrote:
>
> Hi,
>
> Greetings!
>
> I have one requirement in IDM 402. I want to *automatically assign
> ROLE(s)* to the user based on a particular attribute/condition.
>
> 1- When a user is first created in IDM from the authoritative source, a few
> "Birth right Roles" are to be assigned.
> 2- When a particular attribute changes in the user's profile (e.g. the city value
> changes), then the role assignment should change (remove one assigned
> role and assign a different role).
>
> Please revert with how I can achieve this in IdM 402.
>
> Thanks in advance!
>
>

Greetings,
You would handle this with a Null driver and then create policy that
utilizes the Add/Remove Role actions.

--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ

Re: Automatic role assignment

On 10/1/2013 9:00 AM, Steven Williams wrote:
> On 10/01/2013 08:04 AM, ameet140 wrote:
>>
>> Hi,
>>
>> Greetings!
>>
>> I have one requirement in IDM 402. I want to *automatically assign
>> ROLE(s)* to the user based on a particular attribute/condition.
>>
>> 1- When a user is first created in IDM from the authoritative source, a few
>> "Birth right Roles" are to be assigned.
>> 2- When a particular attribute changes in the user's profile (e.g. the city value
>> changes), then the role assignment should change (remove one assigned
>> role and assign a different role).
>>
>> Please revert with how I can achieve this in IdM 402.
>>
>> Thanks in advance!
>>
>>

> Greetings,
> You would handle this with a Null driver and then create policy that
> utilizes the Add/Remove Role actions.


Could you assign a role to a dynamic group and do it that way instead?

Are there any downsides to the dynamic group approach? (I.e. Loading up
RRSD?)



Re: Automatic role assignment

On 10/01/2013 09:28 AM, Geoffrey Carman wrote:
> On 10/1/2013 9:00 AM, Steven Williams wrote:
>> On 10/01/2013 08:04 AM, ameet140 wrote:
>>>
>>> Hi,
>>>
>>> Greetings!
>>>
>>> I have one requirement in IDM 402. I want to *automatically assign
>>> ROLE(s)* to the user based on a particular attribute/condition.
>>>
>>> 1- When a user is first created in IDM from the authoritative source, a few
>>> "Birth right Roles" are to be assigned.
>>> 2- When a particular attribute changes in the user's profile (e.g. the city value
>>> changes), then the role assignment should change (remove one assigned
>>> role and assign a different role).
>>>
>>> Please revert with how I can achieve this in IdM 402.
>>>
>>> Thanks in advance!
>>>
>>>

>> Greetings,
>> You would handle this with a Null driver and then create policy that
>> utilizes the Add/Remove Role actions.

>
> Could you assign a role to a dynamic group and do it that way instead?
>
> Are there any downsides to the dynamic group approach? (I.e. Loading up
> RRSD?)
>
>

Greetings Geoffrey,
With Dynamic Groups, membership change will not be "triggered" or
"instant" (be that those members that are a part of the group via the
query, statically, or excluded). That is because Dynamic Groups are
evaluated based upon the time setting in the RRSD, which by default is
60 minutes (1 hour). Therefore, it is possible that a change in role
assignments would not be seen for an hour.
Also, all of the DGs that have a Role associated to them have to
be built and examined each evaluation run (by default every 60 minutes).
If you have lots of DGs with lots of users, there can be side effects...

If one wants attribute changes to "instantly" cause role (or
resource) assignments to change on a user, then I would recommend using
a Null Driver with policies that utilize the add/remove actions as
compared to using Dynamic Groups and assigning Roles to them. If the
changes do not have to be "instant" and DGs are already in use, then continue.

Please note that for Resources, you cannot assign them to Groups,
only to users.

--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ

Re: Automatic role assignment

On 10/1/2013 1:51 PM, Steven Williams wrote:
> On 10/01/2013 09:28 AM, Geoffrey Carman wrote:
>> On 10/1/2013 9:00 AM, Steven Williams wrote:
>>> On 10/01/2013 08:04 AM, ameet140 wrote:
>>>>
>>>> Hi,
>>>>
>>>> Greetings!
>>>>
>>>> I have one requirement in IDM 402. I want to *automatically assign
>>>> ROLE(s)* to the user based on a particular attribute/condition.
>>>>
>>>> 1- When a user is first created in IDM from the authoritative source, a few
>>>> "Birth right Roles" are to be assigned.
>>>> 2- When a particular attribute changes in the user's profile (e.g. the city value
>>>> changes), then the role assignment should change (remove one assigned
>>>> role and assign a different role).
>>>>
>>>> Please revert with how I can achieve this in IdM 402.
>>>>
>>>> Thanks in advance!
>>>>
>>>>
>>> Greetings,
>>> You would handle this with a Null driver and then create policy that
>>> utilizes the Add/Remove Role actions.

>>
>> Could you assign a role to a dynamic group and do it that way instead?
>>
>> Are there any downsides to the dynamic group approach? (I.e. Loading up
>> RRSD?)
>>
>>

> Greetings Geoffrey,
> With Dynamic Groups, membership change will not be "triggered" or
> "instant" (be that those members that are a part of the group via the
> query, statically, or excluded). That is because Dynamic Groups are
> evaluated based upon the time setting in the RRSD, which by default is
> 60 minutes (1 hour). Therefore, it is possible that a change in role
> assignments would not be seen for an hour.


That makes sense.

I guess my point is that pre-RBPM we had the ESD/RBE driver, and
post-RBPM model, we have no direct replacement for that functionality.

It seems like an add on to RRSD or maybe somewhere else, as a package
would make sense to deliver, more as a functionality return from the ESD
driver.

> If one wants attribute changes to "instantly" cause role (or
> resource) assignments to change on a user, then I would recommend using
> a Null Driver with policies that utilize the add/remove actions as
> compared to using Dynamic Groups and assigning Roles to them. If the
> changes do not have to be "instant" and DGs are already in use, then continue.
>
> Please note that for Resources, you cannot assign them to Groups,
> only to users.


Interesting and thanks for this info.




Re: Automatic role assignment

On 10/01/2013 09:00 AM, Steven Williams wrote:
> On 10/01/2013 08:04 AM, ameet140 wrote:
>>
>> Hi,
>>
>> Greetings!
>>
>> I have one requirement in IDM 402. I want to *automatically assign
>> ROLE(s)* to the user based on a particular attribute/condition.
>>
>> 1- When a user is first created in IDM from the authoritative source, a few
>> "Birth right Roles" are to be assigned.
>> 2- When a particular attribute changes in the user's profile (e.g. the city value
>> changes), then the role assignment should change (remove one assigned
>> role and assign a different role).
>>
>> Please revert with how I can achieve this in IdM 402.
>>
>> Thanks in advance!
>>
>>

> Greetings,
> You would handle this with a Null driver and then create policy that
> utilizes the Add/Remove Role actions.
>

Greetings,
Here is an example of what that policy would look like (please note
that I am using GCVs) that I have for the add.
==============

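<rule>
  <description>employeeType-Changes-FullTime</description>
  <comment xml:space="preserve">A user's employeeType Changes to FullTime</comment>
  <conditions>
    <and>
      <!-- Fire only for User objects whose employeeType is changing to the fullTimeEmployee GCV value -->
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <if-op-attr mode="nocase" name="employeeType" op="changing-to">$fullTimeEmployee$</if-op-attr>
    </and>
  </conditions>
  <actions>
    <!-- Request the role ($testRole$) through the service at $url$, authenticating as $uaadmin$ -->
    <do-add-role id="$uaadmin$" role-id="$testRole$" url="$url$">
      <!-- Password for $uaadmin$, read from the uapassword GCV -->
      <arg-password>
        <token-global-variable name="uapassword"/>
      </arg-password>
      <!-- Target user: source DN of the current operation, converted from slash to LDAP format -->
      <arg-dn>
        <token-parse-dn dest-dn-format="ldap" src-dn-format="qualified-slash">
          <token-xpath expression="@qualified-src-dn"/>
        </token-parse-dn>
      </arg-dn>
      <!-- Description recorded with the role request -->
      <arg-string name="description">
        <token-text xml:space="preserve">'testing'</token-text>
      </arg-string>
    </do-add-role>
    <!-- Associate the user with this driver, using CN as the association value -->
    <do-add-association direct="true">
      <arg-association>
        <token-attr name="CN"/>
      </arg-association>
    </do-add-association>
  </actions>
</rule>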
==============

We have an example of this in the Administration Guide, but it is for
starting a workflow automatically. Adding/Removing a Role or Resource
pretty much follows the same pattern.


--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ
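
As an added illustration (not part of the thread and not NetIQ's own code), here is a companion rule for the second requirement in the original question, following the same DirXML Script pattern as the policy above: when the city value changes from one value to another, the old role is revoked and the new one is requested. The GCV names (oldCity, newCity, oldCityRole, newCityRole, uaadmin, url), the use of the L attribute for city, and the named password ua-admin-password are assumptions; the credential is read with token-named-password so that it comes from the driver's named-password store rather than from a plain GCV.

```xml
<!-- Added example. All GCV names, the "L" attribute and the named password
     "ua-admin-password" are hypothetical and must be adapted to the driver. -->
<rule>
  <description>City-Changes-Swap-Role</description>
  <comment xml:space="preserve">City changes from oldCity to newCity: revoke one role, assign another</comment>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <!-- Both must hold in the same event: old value removed, new value added -->
      <if-op-attr mode="nocase" name="L" op="changing-from">$oldCity$</if-op-attr>
      <if-op-attr mode="nocase" name="L" op="changing-to">$newCity$</if-op-attr>
    </and>
  </conditions>
  <actions>
    <!-- Revoke first, so the user never holds both location roles at once -->
    <do-remove-role id="$uaadmin$" role-id="$oldCityRole$" url="$url$">
      <arg-password>
        <token-named-password name="ua-admin-password"/>
      </arg-password>
      <arg-dn>
        <token-parse-dn dest-dn-format="ldap" src-dn-format="qualified-slash">
          <token-xpath expression="@qualified-src-dn"/>
        </token-parse-dn>
      </arg-dn>
      <!-- The description is what reviewers see in the role request history -->
      <arg-string name="description">
        <token-text xml:space="preserve">City changed: previous city role revoked by policy</token-text>
      </arg-string>
    </do-remove-role>
    <do-add-role id="$uaadmin$" role-id="$newCityRole$" url="$url$">
      <arg-password>
        <token-named-password name="ua-admin-password"/>
      </arg-password>
      <arg-dn>
        <token-parse-dn dest-dn-format="ldap" src-dn-format="qualified-slash">
          <token-xpath expression="@qualified-src-dn"/>
        </token-parse-dn>
      </arg-dn>
      <arg-string name="description">
        <token-text xml:space="preserve">City changed: new city role assigned by policy</token-text>
      </arg-string>
    </do-add-role>
  </actions>
</rule>
```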